I'm exploring some uses with Squid proxy 2.7 and I have seen a good number of examples for URL rewrites that take URLs such as: http://somesitename.com and then the rewriter can change the URL to: https://somesitename.com

And those examples work great.

What I'm wondering though, is if it's possible to do the reverse with a Squid URL rewriter. That is, to go from https://somesitename.com to http://somesitename.com?

Simply trying to edit the script file that handles the rewrites doesn't seem to do the trick. So I was wondering if there are certain things I have to configure Squid to do first, if it's even possible to do what I am asking.

I have my browser manually set up to have squid as a proxy for all requests and I can see https requests showing up in my squid access.log file (via the CONNECT method).

1 Answer

Moving from http:// to https:// is relatively easy: the Squid server accepts the TCP connection, then sends an HTTP response telling the client that the content has moved to the new URL. The client then retries the request on the new URL.

Moving from https:// to http:// is harder: you have to establish the TCP connection, and then establish the HTTPS connection - which is going to require that you can supply a certificate that the client will trust as being the certificate of the site it was trying to connect to. Only after doing all that are you able to send the response telling the client it needs to go try the http:// URL.

Generally speaking, your Squid server will never see the URL that the client is requesting - it will just see a request to CONNECT to a specific IP:Port. SSL requires that the connection between the web server and the client is encrypted the whole way - so all Squid can do is proxy the TCP connection. The details of exactly which hostname and path the client wants will not be communicated until after the HTTPS connection is set up - and then they're communicated over the encrypted connection, so the proxy server can't see them.
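The following rewrite helper is an added example, not part of the original question or answer, showing why the two directions differ from the helper's point of view. It assumes the Squid 2.x helper line format `URL client_ip/fqdn ident method` with concurrency disabled, that a reply prefixed with `302:` makes Squid send a redirect, and that CONNECT requests arrive with only `host:port` in the URL field; the sample lines are constructed.

```python
import sys


def rewrite(line):
    """Return the helper's reply for one request line from Squid.

    Assumed input format (Squid 2.x, url_rewrite_concurrency off):
        URL client_ip/fqdn ident method
    An empty reply tells Squid to leave the request unchanged.
    """
    fields = line.split()
    if len(fields) < 4:
        return ""  # malformed line: do not touch the request
    url, method = fields[0], fields[3]

    if method == "CONNECT":
        # Tunnel request: the URL field is only host:port. The scheme,
        # path and query are sent later inside the TLS session, which
        # the helper never sees, so there is nothing to rewrite here.
        return ""

    if url.lower().startswith("http://"):
        # Plain HTTP: the full URL is visible, so the client can be
        # redirected to the https:// form of the same URL.
        return "302:https://" + url[len("http://"):]

    return ""


# Constructed sample input: one plain HTTP request and one CONNECT.
SAMPLE_LINES = [
    "http://somesitename.com/index.html 192.0.2.10/- - GET",
    "somesitename.com:443 192.0.2.10/- - CONNECT",
]


def main():
    # Squid keeps the helper running and expects one reply per line.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```
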